Re: ISA - IIS - SSL question


From: Jason Helms (jasonh_at_cghinsurance.com)
Date: 02/23/04


Date: Mon, 23 Feb 2004 09:07:43 -0600

Don't know if this is the best way to do this, but here's how I did it:

I installed the SSL cert on my IIS server only to generate a private/public
matching keyfile. I then exported that keyfile and removed the cert from
IIS.

Then, transported keyfile to ISA server and installed it into the Web Proxy
certificate store. Enabled SSL Listeners on ISA server for our public IP
address, and then went into the properties of the Web Publishing Rule for
the SSL site in question.

I set all SSL requests to be redirected as HTTP (terminate secure channel at
proxy), but required SSL connection & 128 bit encryption.
That eliminated all of our errors and allowed us to use SSL for our secure
site.

However, I would only recommend doing this if your ISA server is the only
point of entry/exit of your network. If you have any dial-in access or VPN
that is made available to the internet by a device other than your ISA
server, I would do SSL all the way through to your internal IIS machine.

We can get away with it here because our internal network is extremely
locked down.

HTH-

Jason

"Noodles" <alexfurlong@hotmail.com> wrote in message
news:Xns9495BDA2BB978noodlehotmailcom@216.168.3.30...
> I've been studying the best way to get SSL to work (bridging) behind the
> ISA server. Here is my problem.
>
> My SSL Certificate is installed on the IIS and ISA. I have a destination
> set and a publishing rule set up. Without SSL (http) the site works fine.
> When I try to use SSL (https) I get the following error.
>
> "500 Internal Server Error - The network logon failed. (1790)
> Internet Security and Acceleration Server"
>
> If I change the publishing rule bridging rule from SSL (est. a secure
> channel) -default- to HTTP (terminate the secure channel at proxy), HTTP and
> HTTPS work fine.
>
> Now the only thing I can figure might be wrong is in the action tab. I
> redirect the web request to the internal IIS server name, not the FQDN of
> the site (ex. iisserver.mydomain.com not www.mydomain.com). Is this my
> problem? And if so, what would be the best way to correct this? I tried
> to create an alias DNS entry www for my internal server but I get a
> "10061 - Connection refused" error.
>
> Thanks


